From dcbf8fa8e31007d95a9651ab478d81074412fb7c Mon Sep 17 00:00:00 2001 From: MichaIng <28480705+MichaIng@users.noreply.github.com> Date: Mon, 19 Aug 2019 15:09:44 +0200 Subject: [PATCH 1/9] Harden data protection .htaccess + Set "Satisfy All" whenever available, as well on Apache 2.4+. This is required to override possible "Satisfy Any" on parent dir, which otherwise would allow direct access to data, regardless of "Require" directive. + Set "Deny from all" as well whenever available, to block access regardless of which access control directive takes priority. + Assume Apache 2.2 only, if mod_authz_core and mod_access_compat are both not available, to avoid doubled directives. In this case set "Deny from all" directive only if the providing mod_authz_host module is available. "Satisfy" is a core directive on Apache 2.2. + Update Apache version strings. Regarding the used directives/modules, Apache 2.4 and 2.5 behave the same. + Add ordering spaces to better reflect the nested directives and to match style of other .htaccess files. Fixes: https://github.com/nextcloud/server/issues/6449 Signed-off-by: Micha Felle --- lib/private/Setup.php | 30 +++++++++++++++++++----------- 1 file changed, 19 insertions(+), 11 deletions(-) diff --git a/lib/private/Setup.php b/lib/private/Setup.php index d7c6df3535..024d0754c6 100644 --- a/lib/private/Setup.php +++ b/lib/private/Setup.php 
@@ -542,19 +542,27 @@ class Setup { //Require all denied $now = date('Y-m-d H:i:s'); $content = "# Generated by Nextcloud on $now\n"; - $content.= "# line below if for Apache 2.4\n"; + $content.= "# Section for Apache 2.4 and 2.5\n"; $content.= "\n"; - $content.= "Require all denied\n"; - $content.= "\n\n"; - $content.= "# line below if for Apache 2.2\n"; - $content.= "\n"; - $content.= "deny from all\n"; - $content.= "Satisfy All\n"; - $content.= "\n\n"; - $content.= "# section for Apache 2.2 and 2.4\n"; - $content.= "\n"; - $content.= "IndexIgnore *\n"; + $content.= " Require all denied\n"; $content.= "\n"; + $content.= "\n"; + $content.= " Deny from all\n"; + $content.= " Satisfy All\n"; + $content.= "\n\n"; + $content.= "# Section for Apache 2.2\n"; + $content.= "\n"; + $content.= " \n"; + $content.= " \n"; + $content.= " Deny from all\n"; + $content.= " \n"; + $content.= " Satisfy All\n"; + $content.= " \n"; + $content.= "\n\n"; + $content.= "# Section for Apache 2.2 to 2.5\n"; + $content.= "\n"; + $content.= " IndexIgnore *\n"; + $content.= ""; $baseDir = \OC::$server->getConfig()->getSystemValue('datadirectory', \OC::$SERVERROOT . '/data'); file_put_contents($baseDir . '/.htaccess', $content); From e84cdc609a87d46db737e1dbdc5680321ce6939d Mon Sep 17 00:00:00 2001 
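Review bot: The write on the hunk's last line, `file_put_contents($baseDir . '/.htaccess', $content);`, discards its return value, so a failed write (unwritable data directory, full disk) leaves the directory without any of the hardened rules and nothing reports it; check it, e.g. `if (file_put_contents($baseDir . '/.htaccess', $content) === false) { throw new \RuntimeException('Could not write ' . $baseDir . '/.htaccess'); }`, or at minimum log the failure through the server's logger. The generated file also fails open by design on an Apache 2.2 that lacks mod_authz_host (only `IndexIgnore *` remains), which the `# Generated by Nextcloud` header should say so operators know to verify that a request for a file under the data directory answers 403. The IfModule wrappers the commit message describes do not show up in this rendering of the hunk, so their conditions could not be checked. `protectDataDirectory()`'s signature lies above the hunk.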
From: MichaIng <28480705+MichaIng@users.noreply.github.com> Date: Mon, 19 Aug 2019 15:17:39 +0200 Subject: [PATCH 2/9] Harden config protection .htaccess + Set "Satisfy All" whenever available, as well on Apache 2.4+. This is required to override possible "Satisfy Any" on parent dir, which otherwise would allow direct access to data, regardless of "Require" directive. + Set "Deny from all" as well whenever available, to block access regardless of which access control directive takes priority. + Assume Apache 2.2 only, if mod_authz_core and mod_access_compat are both not available, to avoid doubled directives. In this case set "Deny from all" directive only if the providing mod_authz_host module is available. "Satisfy" is a core directive on Apache 2.2. + Update Apache version strings. Regarding the used directives/modules, Apache 2.4 and 2.5 behave the same. + Add ordering spaces to better reflect the nested directives and to match style of other .htaccess files. Fixes: #6449 (for the config directory) Signed-off-by: Micha Felle --- config/.htaccess | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/config/.htaccess b/config/.htaccess index 853aed187d..192cdd2aa9 100644 --- a/config/.htaccess +++ b/config/.htaccess @@ -1,14 +1,23 @@ -# line below if for Apache 2.4 +# Section for Apache 2.4 and 2.5 -Require all denied + Require all denied + + + Deny from all + Satisfy All -# line below if for Apache 2.2 +# Section for Apache 2.2 -deny from all + + + Deny from all + + Satisfy All + -# section for Apache 2.2 and 2.4 +# Section for Apache 2.2 to 2.5 -IndexIgnore * + IndexIgnore * From 01b558c8b4998733358dc1181fb9dc7084fdce2d Mon Sep 17 00:00:00 2001 
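Review bot: Nothing in the file says what it depends on, yet every directive here only takes effect if the server's `AllowOverride` permits it (`Limit` for Order/Deny, `AuthConfig` for Require and Satisfy, `Indexes` for IndexIgnore): with `AllowOverride None` the file is silently ignored and config.php is served, while a partially permitted set makes Apache answer 500, which at least fails closed. I'd add a header comment along the lines of `# Needs AllowOverride Limit, AuthConfig and Indexes (or All); with AllowOverride None this file is ignored and the directory is exposed.` The Apache 2.2 section likewise denies nothing when mod_authz_host is absent, so a sentence noting that the directory is then unprotected belongs there too. The IfModule wrappers described in the commit message are not visible in this rendering, so their conditions could not be checked.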
From: MichaIng <28480705+MichaIng@users.noreply.github.com> Date: Mon, 19 Aug 2019 15:29:48 +0200 Subject: [PATCH 3/9] Update lib/private/Setup.php + Remove unnecessary spaces from code Co-Authored-By: Daniel Kesselberg --- lib/private/Setup.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/private/Setup.php b/lib/private/Setup.php index 024d0754c6..d40e03062b 100644 --- a/lib/private/Setup.php +++ b/lib/private/Setup.php @@ -540,7 +540,7 @@ class Setup { public static function protectDataDirectory() { //Require all denied - $now = date('Y-m-d H:i:s'); + $now = date('Y-m-d H:i:s'); $content = "# Generated by Nextcloud on $now\n"; $content.= "# Section for Apache 2.4 and 2.5\n"; $content.= "\n"; From a849b329a74186d2b2ff79af4b14fa511d010802 Mon Sep 17 00:00:00 2001 From: MichaIng <28480705+MichaIng@users.noreply.github.com> Date: Mon, 19 Aug 2019 15:40:00 +0200 Subject: [PATCH 4/9] Use syntax with cases according to official docs + Ref: https://github.com/nextcloud/server/pull/16792/files#r315207691 Signed-off-by: Micha Felle --- config/.htaccess | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/config/.htaccess b/config/.htaccess index 192cdd2aa9..857df9bbba 100644 --- a/config/.htaccess +++ b/config/.htaccess @@ -1,23 +1,23 @@ # Section for Apache 2.4 and 2.5 - + Require all denied - - + + Deny from all Satisfy All - + # Section for Apache 2.2 - - - + + + Deny from all - + Satisfy All - - + + # Section for Apache 2.2 to 2.5 - + IndexIgnore * - + From 51a35bb1cbccc3e5dde610e41c8cc89321d33e93 Mon Sep 17 00:00:00 2001 
From: MichaIng <28480705+MichaIng@users.noreply.github.com> Date: Mon, 19 Aug 2019 15:50:48 +0200 Subject: [PATCH 5/9] Minor syntax + Use Apache syntax with cases according to official docs: https://github.com/nextcloud/server/pull/16792/files#r315207691 + Add missing whitespace for concatenating strings to variable: https://github.com/nextcloud/server/pull/16792/files#r315207520 + Apache 2.5 will be released as 2.6: https://github.com/nextcloud/server/pull/16792/files#r315206147 Signed-off-by: Micha Felle --- lib/private/Setup.php | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/lib/private/Setup.php b/lib/private/Setup.php index d40e03062b..7811754ddc 100644 --- a/lib/private/Setup.php +++ b/lib/private/Setup.php 
@@ -542,27 +542,27 @@ class Setup { //Require all denied $now = date('Y-m-d H:i:s'); $content = "# Generated by Nextcloud on $now\n"; - $content.= "# Section for Apache 2.4 and 2.5\n"; - $content.= "\n"; - $content.= " Require all denied\n"; - $content.= "\n"; - $content.= "\n"; - $content.= " Deny from all\n"; - $content.= " Satisfy All\n"; - $content.= "\n\n"; - $content.= "# Section for Apache 2.2\n"; - $content.= "\n"; - $content.= " \n"; - $content.= " \n"; - $content.= " Deny from all\n"; - $content.= " \n"; - $content.= " Satisfy All\n"; - $content.= " \n"; - $content.= "\n\n"; - $content.= "# Section for Apache 2.2 to 2.5\n"; - $content.= "\n"; - $content.= " IndexIgnore *\n"; - $content.= ""; + $content .= "# Section for Apache 2.4 to 2.6\n"; + $content .= "\n"; + $content .= " Require all denied\n"; + $content .= "\n"; + $content .= "\n"; + $content .= " Deny from all\n"; + $content .= " Satisfy All\n"; + $content .= "\n\n"; + $content .= "# Section for Apache 2.2\n"; + $content .= "\n"; + $content .= " \n"; + $content .= " \n"; + $content .= " Deny from all\n"; + $content .= " \n"; + $content .= " Satisfy All\n"; + $content .= " \n"; + $content .= "\n\n"; + $content .= "# Section for Apache 2.2 to 2.6\n"; + $content .= "\n"; + $content .= " IndexIgnore *\n"; + $content .= ""; $baseDir = \OC::$server->getConfig()->getSystemValue('datadirectory', \OC::$SERVERROOT . '/data'); file_put_contents($baseDir . '/.htaccess', $content); From 241145508844532d2d0f530c0dc09cce1aad4ba0 Mon Sep 17 00:00:00 2001 From: MichaIng <28480705+MichaIng@users.noreply.github.com> Date: Mon, 19 Aug 2019 15:51:55 +0200 Subject: [PATCH 6/9] Apache 2.5 will be released as 2.6 + Ref: https://github.com/nextcloud/server/pull/16792/files#r315206147 Signed-off-by: Micha Felle --- config/.htaccess | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/.htaccess b/config/.htaccess index 857df9bbba..eda29a03ee 100644 --- a/config/.htaccess +++ b/config/.htaccess 
@@ -1,4 +1,4 @@ -# Section for Apache 2.4 and 2.5 +# Section for Apache 2.4 to 2.6 Require all denied @@ -17,7 +17,7 @@ -# Section for Apache 2.2 to 2.5 +# Section for Apache 2.2 to 2.6 IndexIgnore * From 592eecdb7d6b469515cb4231056a8208a548d0aa Mon Sep 17 00:00:00 2001 From: MichaIng Date: Thu, 26 Sep 2019 12:37:07 +0200 Subject: [PATCH 7/9] Add "Order" to assure that no parental "Allow" can grant access Signed-off-by: MichaIng --- config/.htaccess | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/.htaccess b/config/.htaccess index eda29a03ee..13ca28758c 100644 --- a/config/.htaccess +++ b/config/.htaccess @@ -3,6 +3,7 @@ Require all denied + Order Allow,Deny Deny from all Satisfy All @@ -11,6 +12,7 @@ + Order Allow,Deny Deny from all Satisfy All From c7e66ec848cfce75b8eb3f635f21255e3967def2 Mon Sep 17 00:00:00 2001 From: MichaIng Date: Thu, 26 Sep 2019 12:38:58 +0200 Subject: [PATCH 8/9] Add "Order" to assure that no parental "Allow" can grant access Signed-off-by: MichaIng --- lib/private/Setup.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/private/Setup.php b/lib/private/Setup.php index 7811754ddc..3fbfc3da2b 100644 --- a/lib/private/Setup.php +++ b/lib/private/Setup.php @@ -547,6 +547,7 @@ class Setup { $content .= " Require all denied\n"; $content .= "\n"; $content .= "\n"; + $content .= " Order Allow,Deny"; $content .= " Deny from all\n"; $content .= " Satisfy All\n"; $content .= "\n\n"; @@ -554,6 +555,7 @@ class Setup { $content .= "\n"; $content .= " \n"; $content .= " \n"; + $content .= " Order Allow,Deny"; $content .= " Deny from all\n"; $content .= " \n"; $content .= " Satisfy All\n"; From 5afd7abf4481f019ad0044393b4734645e40f5af Mon Sep 17 00:00:00 2001 From: MichaIng Date: Thu, 31 Oct 2019 20:15:49 +0100 Subject: [PATCH 9/9] Add missing newlines to .htaccess Signed-off-by: MichaIng --- lib/private/Setup.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
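Review bot: `Order Allow,Deny` is added without a comment explaining what it guards against, and the reasoning (Deny wins over any Allow, and the default state is deny) is exactly what a later maintainer is likely to "simplify" away; I'd put `# Order Allow,Deny: Deny wins over any Allow, so an "Allow from" in a parent scope cannot reopen this directory` above the first occurrence. On Apache 2.4 with mod_access_compat loaded this block now sits next to `Require all denied` in the same scope, a mix the mod_access_compat documentation discourages; here both sides deny so the outcome is the same, but a one-line comment saying the duplication is deliberate would stop someone from removing one side. The `Order` in the second (2.2) block should carry the same note or refer to the first.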
diff --git a/lib/private/Setup.php b/lib/private/Setup.php
index 3fbfc3da2b..e360319c5b 100644
--- a/lib/private/Setup.php
+++ b/lib/private/Setup.php
@@ -547,7 +547,7 @@ class Setup {
 $content .= " Require all denied\n";
 $content .= "\n";
 $content .= "\n";
- $content .= " Order Allow,Deny";
+ $content .= " Order Allow,Deny\n";
 $content .= " Deny from all\n";
 $content .= " Satisfy All\n";
 $content .= "\n\n";
@@ -555,7 +555,7 @@ class Setup {
 $content .= "\n";
 $content .= " \n";
 $content .= " \n";
- $content .= " Order Allow,Deny";
+ $content .= " Order Allow,Deny\n";
 $content .= " Deny from all\n";
 $content .= " \n";
 $content .= " Satisfy All\n";
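Review bot: The missing `\n` fixed in both hunks went through two commits unnoticed because the file is assembled by string concatenation where every line must remember its own terminator; building it as a list of directives and joining once, `$content = implode("\n", $lines) . "\n";`, removes that class of bug, and a unit test asserting that no generated line contains two directives would have caught this one. The enclosing `protectDataDirectory()` starts above both hunks. I cannot see the IfModule lines in this rendering, so I have not checked the rest of the generated content for the same issue.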